Important - Auth0 Public Disclosure

We have created a new Deprecation Guide to help you select the best migration path for your application(s) if you are impacted by the deprecation notice.

We have also created a Deprecation Error Reference guide to provide assistance with searching your logs for deprecation related messages as well as explanations of potential causes and resolutions for particular items.

During the past few months, we have been informing you about the deprecation of Auth0 endpoints (usernamepassword/login, /ssodata) that were scheduled to be removed from service on April 1, 2018 (recently extended to July 16, 2018).

The reason for these notifications, as you can read in our blog post below, was that we had discovered two vulnerabilities affecting those endpoints and wanted to provide our customers with sufficient notice and time to migrate to new, more secure endpoints before public disclosure of the vulnerabilities. During this process, our engineering team was able to develop a back-end mitigation which significantly reduced the severity of the vulnerabilities, which allowed us to extend the Removal of Service date. However, we still encourage you to migrate your applications to the latest version of Lock 11 and Auth0.js 9, if you have not already done so.

This update is to inform you that we have publicly announced those vulnerabilities today, in keeping with responsible disclosure best practices. You can read about this in our blog post, or review the published CVEs: CVE-2018-6873, CVE-2018-6874.

Our recommendation to customers is to use Universal Login (the guide Universal vs Embedded Login explains the pros and cons in more detail). See Migrating from Embedded to Universal here: Migrating to Universal Login.

If you need to use Embedded Login, follow the guides below:

For further information, please refer to our blog post and FAQ.

If you’ve got any questions regarding that, let us know!